Design and Semantics of a Decentralized Authorization Language

Moritz Y. Becker, Cedric Fournet, and Andrew D. Gordon

Abstract

We present a declarative authorization language that strikes

a careful balance between syntactic and semantic simplicity,

policy expressiveness, and execution efficiency. The syntax

is close to natural language, and the semantics consists

of just three deduction rules. The language can express

many common policy idioms using constraints, controlled

delegation, recursive predicates, and negated queries. We

describe an execution strategy based on translation to Datalog

with Constraints, and table-based resolution. We show

that this execution strategy is sound, complete, and always

terminates, despite recursion and negation, as long as simple

syntactic conditions are met.

Details

Publication typeInproceedings
Published in20th IEEE Computer Security Foundations Symposium (CSF)
> Publications > Design and Semantics of a Decentralized Authorization Language